From af785ea1f3bbc2407deec30f2ad82ea80db873d1 Mon Sep 17 00:00:00 2001 From: Adrian Johnson Date: Tue, 11 Oct 2016 23:05:53 +1030 Subject: [PATCH] Fix integer overflow https://bugs.freedesktop.org/show_bug.cgi?id=98165 --- src/cairo-png.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/cairo-png.c b/src/cairo-png.c index 562b743..87e5bae 100644 --- a/src/cairo-png.c +++ b/src/cairo-png.c @@ -213,7 +213,7 @@ write_png (cairo_surface_t *surface, } for (i = 0; i < clone->height; i++) - rows[i] = (png_byte *) clone->data + i * clone->stride; + rows[i] = (png_byte *) &clone->data[i * (size_t)clone->stride]; png = png_create_write_struct (PNG_LIBPNG_VER_STRING, &status, png_simple_error_callback, @@ -673,7 +673,7 @@ read_png (struct png_read_closure_t *png_closure) } for (i = 0; i < png_height; i++) - row_pointers[i] = &data[i * stride]; + row_pointers[i] = &data[i * (size_t)stride]; png_read_image (png, row_pointers); png_read_end (png, info); -- 2.1.4